author | Alice Frosi <afrosi@redhat.com> | 2023-03-31 11:10:42 +0200 |
---|---|---|
committer | Alice Frosi <afrosi@redhat.com> | 2023-03-31 11:48:03 +0200 |
commit | aeb7573732347cd0bbf0e3d7e560a53f875313cf (patch) | |
tree | ba1f0c53a0d7d8ac5a9a2644257dd7de6383e7b8 | |
parent | 548a225fb616ee66afb8411f282d44148f67898c (diff) | |
tests: add tests for filtering the syscalls
-rw-r--r-- | tests/unit/Makefile | 16 | ||||
-rw-r--r-- | tests/unit/test_filter.c | 93 | ||||
-rw-r--r-- | tests/unit/testutil.h | 1 | ||||
-rw-r--r-- | tests/unit/util.c | 15 |
4 files changed, 122 insertions, 3 deletions
diff --git a/tests/unit/Makefile b/tests/unit/Makefile
index 1c3a413..aeaf6ae 100644
--- a/tests/unit/Makefile
+++ b/tests/unit/Makefile
@@ -7,8 +7,13 @@ OP_DIR := ../../
 COOKER_DIR := ../../cooker
 DBG_DIR := ../../debug
 
-SRCS_FILTER := $(COOKER_DIR)/filter.c $(DBG_DIR)/disasm.c $(COMMON_DIR)/common.c
-HEADERS_FILTER := $(COOKER_DIR)/filter.h $(DBG_DIR)/disasm.h $(COMMON_DIR)/common.h
+SRCS_FILTER_BUILD := $(COOKER_DIR)/filter.c $(DBG_DIR)/disasm.c $(COMMON_DIR)/common.c
+HEADERS_FILTER_BUILD := $(COOKER_DIR)/filter.h $(DBG_DIR)/disasm.h $(COMMON_DIR)/common.h
+
+SRCS_FILTER := $(COOKER_DIR)/filter.c $(COMMON_DIR)/common.c util.c \
+	$(DBG_DIR)/disasm.c
+HEADERS_FILTER := $(COOKER_DIR)/filter.h $(COMMON_DIR)/common.h \
+	$(DBG_DIR)/disasm.h testutil.h
 
 HEADERS_OP_CALL := $(COMMON_DIR)/gluten.h $(OP_DIR)/operations.h
 SRCS_OP_CALL := $(OP_DIR)/operations.c
@@ -33,11 +38,16 @@ CFLAGS += -DSEITAN_AUDIT_ARCH=AUDIT_ARCH_$(AUDIT_ARCH) -DTMP_DATA_SIZE=1000
 
 test: test-filter test-operations test-op-call
 
-test-filter-build: test_filter_build.c $(SRCS_FILTER) $(HEADERS_FILTER)
+test-filter-build: test_filter_build.c $(SRCS_FILTER_BUILD) $(HEADERS_FILTER_BUILD)
 	$(CC) $(CFLAGS) -o test-filter-build $(SRCS_FILTER) \
 		test_filter_build.c
 	./test-filter-build
 
+test-filter: test_filter.c $(SRCS_FILTER) $(HEADERS_FILTER)
+	$(CC) $(CFLAGS) -o test-filter $(SRCS_FILTER) \
+		test_filter.c
+	./test-filter
+
 test-op-call: test_op_call.c $(SRCS_OP_CALL) $(HEADERS_OP_CALL)
 	$(CC) $(CFLAGS) -o test-op-call $(SRCS_OP_CALL) \
 		test_op_call.c
diff --git a/tests/unit/test_filter.c b/tests/unit/test_filter.c
new file mode 100644
index 0000000..5ff9d65
--- /dev/null
+++ b/tests/unit/test_filter.c
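Review bot: In the second hunk the `test-filter-build` recipe still compiles `$(SRCS_FILTER)` although its prerequisites were switched to `$(SRCS_FILTER_BUILD)`; since `SRCS_FILTER` now also lists `util.c`, the build-only test is linked with the libcheck-based helpers (see the `util.c` hunk, which uses `ck_assert_msg`) while make tracks a different set of sources than it actually compiles. The recipe line should become `$(CC) $(CFLAGS) -o test-filter-build $(SRCS_FILTER_BUILD) \`. The new `test-filter` target is consistent in this respect, so only the old recipe needs the change.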
@@ -0,0 +1,93 @@
+/* SPDX-License-Identifier: GPL-3.0-or-later
+ * Copyright 2023 Red Hat GmbH
+ * Author: Alice Frosi <afrosi@redhat.com>
+ */
+
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sched.h>
+#include <unistd.h>
+#include <limits.h>
+#include <fcntl.h>
+#include <sys/prctl.h>
+#include <sys/syscall.h>
+#include <sys/ioctl.h>
+#include <sys/wait.h>
+#include <linux/audit.h>
+#include <linux/filter.h>
+#include <linux/seccomp.h>
+#include <sys/mman.h>
+#include <sys/un.h>
+#include <sys/socket.h>
+
+#include <check.h>
+
+#include "gluten.h"
+#include "common.h"
+#include "testutil.h"
+#include "filter.h"
+
+static int generate_install_filter(struct args_target *at)
+{
+	struct bpf_call calls[] = { {} };
+	struct syscall_entry table[] = {
+		{ .count = 1, .nr = at->nr, .entry = &calls[0] }
+	};
+	struct sock_filter filter[30];
+	unsigned int size;
+
+	size = create_bfp_program(table, filter, 1);
+	return install_filter(filter, size);
+}
+
+void setup_build_filter()
+{
+	at = mmap(NULL, sizeof(struct args_target), PROT_READ | PROT_WRITE,
+		  MAP_SHARED | MAP_ANONYMOUS, -1, 0);
+	at->check_fd = false;
+	at->nr = __NR_getpid;
+	at->args[0] = NULL;
+	at->install_filter = generate_install_filter;
+	setup();
+}
+
+START_TEST(filter)
+{
+	continue_target();
+}
+END_TEST
+
+
+Suite *op_call_suite(void)
+{
+	Suite *s;
+	int timeout = 30;
+	TCase *simple;
+
+	s = suite_create("Test filter with target");
+
+	simple = tcase_create("simple");
+	tcase_add_checked_fixture(simple, setup_build_filter, teardown);
+	tcase_set_timeout(simple, timeout);
+	tcase_add_test(simple, filter);
+	suite_add_tcase(s, simple);
+
+	return s;
+}
+
+int main(void)
+{
+	int no_failed = 0;
+	Suite *s;
+	SRunner *runner;
+
+	s = op_call_suite();
+	runner = srunner_create(s);
+
+	srunner_run_all(runner, CK_VERBOSE);
+	no_failed = srunner_ntests_failed(runner);
+	srunner_free(runner);
+	return (no_failed == 0) ? EXIT_SUCCESS : EXIT_FAILURE;
+}
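Review bot: `setup_build_filter` dereferences `at` immediately after `mmap()` without checking for `MAP_FAILED`, so a failed mapping crashes the fixture instead of being reported as a test error; add `ck_assert_ptr_ne(at, MAP_FAILED);` before `at->check_fd = false;`. In `generate_install_filter` the fixed `struct sock_filter filter[30]` is handed to `create_bfp_program(table, filter, 1)` with no capacity argument, so it is worth confirming (or asserting on `size`) that the generator cannot emit more than 30 instructions for a one-entry table. Two style points: `setup_build_filter()` is defined with an empty parameter list where `void setup_build_filter(void)` matches `main(void)` in the same file, and `op_call_suite` appears to be a name carried over from the op-call test even though it creates "Test filter with target"; `filter_suite` would read more clearly.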
diff --git a/tests/unit/testutil.h b/tests/unit/testutil.h
index 896d690..d4f83af 100644
--- a/tests/unit/testutil.h
+++ b/tests/unit/testutil.h
@@ -41,5 +41,6 @@ void check_target_result(long ret, int err, bool ignore_ret);
 void setup();
 void teardown();
 int install_notification_filter(struct args_target *at);
+void continue_target();
 
 #endif /* TESTUTIL_H */
diff --git a/tests/unit/util.c b/tests/unit/util.c
index d4109b0..c6fc3fb 100644
--- a/tests/unit/util.c
+++ b/tests/unit/util.c
@@ -155,6 +155,21 @@ void check_target_result(long ret, int err, bool ignore_ret)
 	ck_assert_int_eq(close(pipefd[0]), 0);
 }
 
+void continue_target()
+{
+	struct seccomp_notif_resp resp;
+	int ret;
+
+	ret = ioctl(notifyfd, SECCOMP_IOCTL_NOTIF_ID_VALID, &req.id);
+	ck_assert_msg(ret == 0, strerror(errno));
+	resp.id = req.id;
+	resp.flags = SECCOMP_USER_NOTIF_FLAG_CONTINUE;
+	resp.error = 0;
+	resp.val = 0;
+	ret = ioctl(notifyfd, SECCOMP_IOCTL_NOTIF_SEND, &resp);
+	ck_assert_msg(ret == 0, strerror(errno));
+}
+
 void setup()
 {
 	int ret;
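Review bot: Both `ck_assert_msg(ret == 0, strerror(errno))` calls in `continue_target` pass a non-literal string as the printf-style format; any `%` in the message would be parsed as a conversion, and `-Wformat-security` flags it. Use `ck_assert_msg(ret == 0, "%s", strerror(errno));` in both places. `continue_target()` is also declared (in the `testutil.h` hunk) and defined with an empty parameter list; `void continue_target(void)` in both spots gives it a proper prototype, consistent with the `install_notification_filter(struct args_target *at)` declaration next to it.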